34 Replies Latest reply on Jan 12, 2011 1:43 AM by t.himaja

    WS-Security Newbie Question...

    lafaserem

      Hi!

      Sorry for the question 'cause actually it's a really newbie one :) but I'm just getting crazy trying to find some kind of tutorial of implementing WS-Security in JBoss... something like "My first WS-Security web service" or "Step-by-step 'Hello World' or 'Echo' Web Service with WS-Security".

      I've seen several documents explaining things about WSSE, and I have created my keystore and truststore but then when I try to continue I just get lost...

      If you could give me some advice or some links to look at, I'd be very grateful...

      I've done my first 'Echo' web service: BottomUp, TopDown, my first client, etc... and now I'm trying to implement the same Echo WebService but requiring signature (I'm not so interested in any kind of encryption, just signature)

      Thanks ;)

        • 1. Re: WS-Security Newbie Question...
          asoldano
          • 2. Re: WS-Security Newbie Question...
            peterj

            If I recall correctly, this discussion has a complete example http://www.jboss.com/index.html?module=bb&op=viewtopic&t=105580

            • 3. Re: WS-Security Newbie Question...
              lafaserem

              Alessio.. yes... I've already read that link. Thanks anyway ;)

              Peter.. Also I've already read that post, but I'm still lost (sorry.. these are my first days working with web services and I'm getting a bit crazy hehe)

              I'm gonna write everything I'm doing (surely there will be a lot of mistakes, but well.. all the beginnings are tough... :P) and I would appreciate a lot if you could give me a hand in this...

              First... SERVER

              Hello.java

              package wssec;

              import javax.jws.WebMethod;
              import javax.jws.WebParam;
              import javax.jws.WebService;
              import javax.jws.soap.SOAPBinding;

              import org.jboss.ws.annotation.EndpointConfig;

              @WebService(name = "Hello", targetNamespace = "urn:ws.sec")
              @EndpointConfig(configName = "Standard WSSecurity Endpoint")
              @SOAPBinding(style = SOAPBinding.Style.DOCUMENT)
              public class Hello
              {
                  @WebMethod
                  public String echo(@WebParam(name = "param1") String param1)
                  {
                      return param1;
                  }
              }
              


              I compiled it with
              javac -d . -classpath jboss-jaxws.jar;jboss-client.jar *.java
              


              I've made my keystore with the command:

              keytool -genkey -keystore wsse.keystore -storepass jbossws -keyalg RSA -alias wsse -validity 365
              


              Then I exported the certificate with:
              keytool -export -file wsse.cer -keystore wsse.keystore -storepass jbossws -alias wsse
              


              And created the truststore with
              keytool -import -alias wsse -file wsse.cer -keystore wsse.truststore -storepass jbossws
              


              web.xml
              <web-app xmlns="http://java.sun.com/xml/ns/j2ee"
                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                       xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
                       version="2.4">
                  <display-name>Hello</display-name>
                  <servlet>
                      <servlet-name>Hello</servlet-name>
                      <servlet-class>wssec.Hello</servlet-class>
                      <load-on-startup>1</load-on-startup>
                  </servlet>

                  <servlet-mapping>
                      <servlet-name>Hello</servlet-name>
                      <url-pattern>/Hello</url-pattern>
                  </servlet-mapping>
              </web-app>
              


              jboss-wsse-server.xml
              <?xml version="1.0" encoding="UTF-8"?>

              <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
                  <key-store-file>WEB-INF/wsse.keystore</key-store-file>
                  <key-store-password>jbossws</key-store-password>
                  <trust-store-file>WEB-INF/wsse.truststore</trust-store-file>
                  <trust-store-password>jbossws</trust-store-password>
                  <config>
                      <sign type="x509v3" alias="wsse"/>
                      <requires>
                          <signature/>
                      </requires>
                  </config>
              </jboss-ws-security>
              


              I create my .war with
              jar cvf Hello.war WEB-INF
              


              and the structure of WEB-INF is
              WEB-INF
              | jboss-wsse-server.xml
              | wsse.keystore
              | wsse.truststore
              | web.xml
              | classes
              | | Hello.class

              Once this is done I copy Hello.war into jboss4-2-2GA\server\default\deploy and everything seems to be OK

              Once I have the WS deployed on the server, what are the steps I have to follow to build my client? I only want to transmit signed messages, not interested in encryption...

              This might seem a stupid topic, but I'm getting lost, 'cause this is new for me and I'm not able to find any "very very very basic" documents...

              Thanks ;)

              • 4. Re: WS-Security Newbie Question...
                peterj

                On the client side, you will need the keystore and truststore. You can use the same ones used at the server, but if that is not possible (or not desirable) you will need to do more work with setting up the server keystore and truststore, and also create a client keystore and truststore.

                When packaging the client, include in the META-INF directory the files:
                * client keystore
                * client truststore
                * jboss-wsse-client.xml (looks like the server one you listed above)
                * standard-jaxws-client-config.xml (get it from deploy/jbossws.sar/META-INF, remove all of the client-config entries except the one named "Standard WSSecurity Client")

                I can direct you to a location where the steps to do this are documented, but it is not free.

                • 5. Re: WS-Security Newbie Question...
                  asoldano

                   

                  "PeterJ" wrote:

                  * standard-jaxws-client-config.xml (get it from deploy/jbossws.sar/META-INF, remove all of the client-config entries except the one named "Standard WSSecurity Client")


                  This shouldn't be required, you just need to specify the jbossws conf:
                  ((StubExt)port).setConfigName("Standard WSSecurity Client");
                  



                  "PeterJ" wrote:

                  I can direct you to a location where the steps to do this are documented, but it is not free.


                  Otherwise you might take a look at the org.jboss.test.ws.jaxws.samples.wssecurity samples in the src distro.



                  • 6. Re: WS-Security Newbie Question...
                    peterj

                    Just a note to let lafaserem know that the code

                    ((StubExt)port).setConfigName("Standard WSSecurity Client");

                    is JBossWS-specific. I prefer to keep my Java code generic and place container-specific things into configuration files, which makes the code easier to port.

                    Now, if the config name could be set using an annotation, that would be ideal because other containers would ignore the annotation.

                    I also remembered an excellent description of keystores and truststores, perhaps that will be helpful http://www.jboss.com/index.html?module=bb&op=viewtopic&t=94406

                    • 7. Re: WS-Security Newbie Question...
                      lafaserem

                      Hi!

                      Ok.. now actually I'm about getting crazy!! :)

                      PeterJ, which is that location? I don't mind if it's not free... I have tried to send you a "PM" but it seems it doesn't work...

                      My problem is implementing the client in Java.. I think I have all the files I have to package.

                      I'm gonna explain all the things I've done with the client

                      Hello.java

                      package wssec;

                      import javax.jws.WebMethod;
                      import javax.jws.WebParam;
                      import javax.jws.WebService;
                      import javax.jws.soap.SOAPBinding;

                      import org.jboss.ws.annotation.EndpointConfig;

                      @WebService(name = "Hello", targetNamespace = "urn:ws.sec")
                      @EndpointConfig(configName = "Standard WSSecurity Endpoint")
                      @SOAPBinding(style = SOAPBinding.Style.DOCUMENT)
                      public class Hello
                      {
                          @WebMethod
                          public String echo(@WebParam(name = "nombre") String nombre)
                          {
                              return nombre;
                          }
                      }


                      HelloClient.java
                      package wssec;

                      import java.io.File;
                      import java.net.URL;
                      import java.util.Map;

                      import javax.xml.namespace.QName;
                      import javax.xml.ws.BindingProvider;
                      import javax.xml.ws.Service;

                      import org.jboss.ws.core.StubExt;

                      public class HelloClient
                      {
                          public static void main(String args[])
                          {
                              if (args.length != 1)
                              {
                                  System.err.println("usage: HelloClient <message>");
                                  System.exit(1);
                              }

                              System.setProperty("org.jboss.wsse.keyStore", "c:/keys/wsse.keystore");
                              System.setProperty("org.jboss.wsse.keyStorePassword", "jbossws");
                              System.setProperty("org.jboss.wsse.keyStoreType", "x509v3");
                              System.setProperty("org.jboss.wsse.trustStore", "c:/keys/wsse.truststore");
                              System.setProperty("org.jboss.wsse.trustStorePassword", "jbossws");
                              System.setProperty("org.jboss.wsse.trustStoreType", "x509v3");

                              try{
                                  Hello hello = getPort();
                                  System.out.println("Server said: " + hello.echo(args[0]));
                              } catch (Exception e){
                                  e.printStackTrace();
                              }
                          }

                          private static Hello getPort() throws Exception
                          {
                              URL wsdlURL = new URL("http://127.0.0.1:8080/Hello/Hello?wsdl");
                              URL securityURL = new File("META-INF/jboss-wsse-client.xml").toURL();
                              QName serviceName = new QName("urn:ws.sec", "HelloService");

                              Service service = Service.create(wsdlURL, serviceName);

                              Hello port = (Hello)service.getPort(Hello.class);
                              ((StubExt)port).setSecurityConfig(securityURL.toExternalForm());
                              ((StubExt)port).setConfigName("Standard WSSecurity Client");

                              Map<String, Object> reqContext = ((BindingProvider)port).getRequestContext();
                              reqContext.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, "http://127.0.0.1:8080/Hello");

                              return port;
                          }

                      }
                      


                      jboss-wsse-client.xml
                      <?xml version="1.0" encoding="ISO-8859-1"?>
                      <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
                      <config>
                      <sign type="x509v3" alias="wsse"/>
                      <requires>
                      <signature/>
                      </requires>
                      </config>
                      </jboss-ws-security>
                      


                      The keystore and the truststore are the same as the server's ones.

                      The structure is
                      wssec
                      | Hello.class
                      | HelloClient.class
                      META-INF
                      | wsse.keystore
                      | wsse.truststore
                      | jboss-wsse-client.xml

                      When I run the client, I do it like this:

                      wsrunclient prueba.HelloClient "Hello"
                      


                      What am I missing? Shall I do anything more? Or maybe less? :)

                      Thanks a lot.. ;)

                      • 8. Re: WS-Security Newbie Question...
                        lafaserem

                        Oops... I forgot to say that of course wsse.keystore and wsse.truststore are placed at c:\keys

                        Thanks ;)

                        • 9. Re: WS-Security Newbie Question...
                          asoldano

                           

                          "lafaserem" wrote:

                           System.setProperty("org.jboss.wsse.keyStoreType", "x509v3");
                           System.setProperty("org.jboss.wsse.trustStoreType", "x509v3");
                          

                          Why "x509v3"? Try with "jks" that should be the type of key stores you generated.

                          This said, what's the problem you have? your conf seems OK, are you getting any exception? How do you understand something is wrong? Please post some log/error here so that we can better understand.
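
The keystore type point from reply 9, as an added example that is not part of the original thread and is not JBossWS code: a stand-alone check that the stores created with the keytool commands above load as "JKS", that alias "wsse" holds a usable signing key, and that the truststore contains the matching certificate. The class name `WsseStoreCheck` is hypothetical; the paths, password and alias are the ones posted in the thread, and the key password is assumed to equal the store password.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example (hypothetical class name): pre-flight check of the stores
// created by the keytool commands in this thread.
public class WsseStoreCheck
{
    static KeyStore load(String path, String type, char[] pass) throws Exception
    {
        KeyStore ks = KeyStore.getInstance(type); // KeyStoreException for unknown types
        try (InputStream in = new FileInputStream(path))
        {
            ks.load(in, pass); // IOException on a wrong password or a corrupt file
        }
        return ks;
    }

    public static void main(String[] args) throws Exception
    {
        // Defaults are the values used in the thread; override on the command line.
        String keyStorePath = args.length > 0 ? args[0] : "c:/keys/wsse.keystore";
        String trustStorePath = args.length > 1 ? args[1] : "c:/keys/wsse.truststore";
        char[] pass = (args.length > 2 ? args[2] : "jbossws").toCharArray();
        String alias = "wsse";

        // "x509v3" is the token type in <sign type="x509v3" .../>, not a keystore format.
        try
        {
            KeyStore.getInstance("x509v3");
            System.out.println("unexpected: a provider accepts keystore type x509v3");
        }
        catch (KeyStoreException e)
        {
            System.out.println("x509v3 is not a keystore type: " + e.getMessage());
        }

        // The signing side needs a private-key entry under the configured alias.
        KeyStore keys = load(keyStorePath, "JKS", pass);
        if (!keys.isKeyEntry(alias))
            throw new IllegalStateException("no private-key entry '" + alias + "' in " + keyStorePath);
        // Assumption: key password equals store password (keytool's default).
        Key key = keys.getKey(alias, pass);
        if (!(key instanceof PrivateKey))
            throw new IllegalStateException("entry '" + alias + "' does not hold a private key");
        X509Certificate signerCert = (X509Certificate) keys.getCertificate(alias);
        signerCert.checkValidity(); // throws if expired or not yet valid (-validity 365)
        System.out.println("signer: " + signerCert.getSubjectX500Principal().getName()
            + ", " + key.getAlgorithm() + ", valid until " + signerCert.getNotAfter());

        // The verifying side only needs the certificate; flag private keys in a truststore.
        KeyStore trust = load(trustStorePath, "JKS", pass);
        boolean trusted = false;
        for (String a : Collections.list(trust.aliases()))
        {
            if (trust.isKeyEntry(a))
                System.out.println("warning: truststore entry '" + a + "' contains a private key");
            Certificate c = trust.getCertificate(a);
            if (c != null && c.equals(signerCert))
                trusted = true;
        }
        if (!trusted)
            throw new IllegalStateException("signer certificate is not in " + trustStorePath);
        System.out.println("OK: truststore contains the signer certificate");
    }
}
```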


                          • 10. Re: WS-Security Newbie Question...
                            lafaserem

                            This is the error it gives me when I run

                            wsrunclient wssec.HelloClient "Hello"
                            


                            [Fatal Error] :1:1: Content is not allowed in prolog.
                            org.jboss.ws.WSException: java.io.IOException: org.xml.sax.SAXParseException: Content is not allowed in prolog.
                                at org.jboss.ws.metadata.config.JBossWSConfigFactory.getNamespaceURI(JBossWSConfigFactory.java:116)
                                at org.jboss.ws.metadata.config.JBossWSConfigFactory.parse(JBossWSConfigFactory.java:80)
                                at org.jboss.ws.metadata.config.JBossWSConfigFactory.getConfig(JBossWSConfigFactory.java:134)
                                at org.jboss.ws.metadata.umdm.EndpointMetaData.initEndpointConfig(EndpointMetaData.java:704)
                                at org.jboss.ws.metadata.umdm.EndpointMetaData.setConfigNameInternal(EndpointMetaData.java:695)
                                at org.jboss.ws.metadata.umdm.EndpointMetaData.setConfigName(EndpointMetaData.java:679)
                                at org.jboss.ws.metadata.builder.jaxws.JAXWSClientMetaDataBuilder.processEndpointConfig(JAXWSClientMetaDataBuilder.java:323)
                                at org.jboss.ws.metadata.builder.jaxws.JAXWSClientMetaDataBuilder.rebuildEndpointMetaData(JAXWSClientMetaDataBuilder.java:287)
                                at org.jboss.ws.core.jaxws.spi.ServiceDelegateImpl.getPortInternal(ServiceDelegateImpl.java:262)
                                at org.jboss.ws.core.jaxws.spi.ServiceDelegateImpl.getPort(ServiceDelegateImpl.java:233)
                                at javax.xml.ws.Service.getPort(Service.java:185)
                                at wssec.HelloClient.getPort(HelloClient.java:46)
                                at wssec.HelloClient.main(HelloClient.java:31)
                            Caused by: java.io.IOException: org.xml.sax.SAXParseException: Content is not allowed in prolog.
                                at org.jboss.wsf.common.DOMUtils.parse(DOMUtils.java:156)
                                at org.jboss.ws.metadata.config.JBossWSConfigFactory.getNamespaceURI(JBossWSConfigFactory.java:111)
                                ... 12 more
                            


                            The WSDL file is taken directly from the server. It seems to be an error with some XML file structure, but I don't know which one can be the one that is giving me the mistake...

                            Thanks ;)

                            P.S.: I've changed the keyStore and trustStore Type to "jks"

                            • 11. Re: WS-Security Newbie Question...
                              asoldano

                              Last time I didn't notice this: on the client side you should have the interface of your web service, not the implementation. This applies to every webservice client.
                              And of course the interface you use on the client side (which can be generated by wsconsume, otherwise you can code it manually, it is easy for your service) should not have the @EndpointConfig with the server endpoint configuration ;-)

                              • 12. Re: WS-Security Newbie Question...
                                lafaserem

                                Oops... OK... That was a consequence of so many "copy-paste"s that I have done during all these days :)

                                My Hello.java file is now like this:

                                package wssec;

                                import javax.jws.WebMethod;
                                import javax.jws.WebParam;
                                import javax.jws.WebResult;
                                import javax.jws.WebService;
                                import javax.xml.ws.RequestWrapper;
                                import javax.xml.ws.ResponseWrapper;


                                /**
                                 * This class was generated by the JAX-WS RI.
                                 * JAX-WS RI 2.1.1-b03-
                                 * Generated source version: 2.0
                                 *
                                 */
                                @WebService(name = "Hello", targetNamespace = "urn:ws.sec")
                                public interface Hello {


                                    /**
                                     *
                                     * @param nombre
                                     * @return
                                     *     returns java.lang.String
                                     */
                                    @WebMethod
                                    @WebResult(targetNamespace = "")
                                    @RequestWrapper(localName = "echo", targetNamespace = "urn:ws.sec", className = "sec.ws.Echo")
                                    @ResponseWrapper(localName = "echoResponse", targetNamespace = "urn:ws.sec", className = "sec.ws.EchoResponse")
                                    public String echo(
                                        @WebParam(name = "nombre", targetNamespace = "")
                                        String nombre);

                                }
                                


                                but now I have this error:
                                Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/xml/security/Init
                                    at org.jboss.ws.extensions.security.SecurityEncoder.<init>(SecurityEncoder.java:47)
                                    at org.jboss.ws.extensions.security.WSSecurityDispatcher.handleOutbound(WSSecurityDispatcher.java:302)
                                    at org.jboss.ws.extensions.security.jaxws.WSSecurityHandler.handleOutboundSecurity(WSSecurityHandler.java:95)
                                    at org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerClient.handleOutbound(WSSecurityHandlerClient.java:45)
                                    at org.jboss.ws.core.jaxws.handler.GenericHandler.handleMessage(GenericHandler.java:55)
                                    at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:295)
                                    at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:140)
                                    at org.jboss.ws.core.jaxws.client.ClientImpl.callRequestHandlerChain(ClientImpl.java:160)
                                    at org.jboss.ws.core.CommonClient.invoke(CommonClient.java:297)
                                    at org.jboss.ws.core.jaxws.client.ClientImpl.invoke(ClientImpl.java:243)
                                    at org.jboss.ws.core.jaxws.client.ClientProxy.invoke(ClientProxy.java:164)
                                    at org.jboss.ws.core.jaxws.client.ClientProxy.invoke(ClientProxy.java:150)
                                    at $Proxy15.echo(Unknown Source)
                                    at wssec.HelloClient.main(HelloClient.java:32)
                                


                                I don't know what's happening now... I'm working on it, but if you see something, I'll be grateful for your advice ;)

                                At least now I see errors referring to WSSecurity and that makes me happy hehe :)

                                Thanks ;)

                                • 13. Re: WS-Security Newbie Question...
                                  asoldano

                                  You need xmlsec.jar in your classpath.

                                  • 14. Re: WS-Security Newbie Question...
                                    lafaserem

                                    OK... I have now added xmlsec.jar into "JBOSS_HOME/lib/endorsed", recompiled (just in case...) and run wsrunclient again... and I got this error:

                                    javax.xml.ws.WebServiceException: org.jboss.ws.core.CommonSOAPFaultException: An internal WS-Security error occurred. See log for details
                                        at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.processHandlerFailure(HandlerChainExecutor.java:276)
                                        at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:155)
                                        at org.jboss.ws.core.jaxws.client.ClientImpl.callRequestHandlerChain(ClientImpl.java:160)
                                        at org.jboss.ws.core.CommonClient.invoke(CommonClient.java:297)
                                        at org.jboss.ws.core.jaxws.client.ClientImpl.invoke(ClientImpl.java:243)
                                        at org.jboss.ws.core.jaxws.client.ClientProxy.invoke(ClientProxy.java:164)
                                        at org.jboss.ws.core.jaxws.client.ClientProxy.invoke(ClientProxy.java:150)
                                        at $Proxy15.echo(Unknown Source)
                                        at prueba.HelloClient.main(HelloClient.java:32)
                                    Caused by: org.jboss.ws.core.CommonSOAPFaultException: An internal WS-Security error occurred. See log for details
                                        at org.jboss.ws.extensions.security.WSSecurityDispatcher.convertToFault(WSSecurityDispatcher.java:105)
                                        at org.jboss.ws.extensions.security.WSSecurityDispatcher.handleOutbound(WSSecurityDispatcher.java:311)
                                        at org.jboss.ws.extensions.security.jaxws.WSSecurityHandler.handleOutboundSecurity(WSSecurityHandler.java:95)
                                        at org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerClient.handleOutbound(WSSecurityHandlerClient.java:45)
                                        at org.jboss.ws.core.jaxws.handler.GenericHandler.handleMessage(GenericHandler.java:55)
                                        at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:295)
                                        at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:140)
                                    


                                    Thanks again for your interest :)
